Now Snort will run as user snort in group snort. This should improve security. The other options make it log to {{ic|/var/log/snort}} in ASCII mode. Run ''snort -h'' to see other available options.

I have been running my router for 12 days now, and using the above snort options, I had around 120MB of logs! So I changed the -A switch to "-A none". This only logs alerts. I did not know what to do with all the logs anyway.

==Update the rules: Oinkmaster==

If you want to be able to download Snort's latest rules, you will need a subscription. This costs money. If you are happy enough with rules that are 5 days old, you just need to register for free. If you do not register, the only updates you will get are the new rules distributed with a new Snort release.

Go ahead and register at Snort. If you really do not want to register, you can use the rules from BleedingSnort.com. They are bleeding edge, meaning they have not been tested thoroughly.

===Oinkmaster setup===

Edit {{ic|/etc/oinkmaster.conf}} and look for the URL section and uncomment the 2.4 line. Make sure to replace ''<oinkcode>'' with the Oink code you generated after logging into your Snort account. For Bleeding Snort rules, uncomment the appropriate line.

At the bottom of the file, there is a list of includes. These define which rules you want to enforce. (Un)comment as you please. You should check that the corresponding file exists, as for me, none of the rules files were present.

When you log into your new account, create an "Oink code".

Another thing to change is
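Two checks that fall out of the setup above, as an added example rather than anything from the wiki page or the Snort/Oinkmaster projects: one lists rules files referenced by active include lines that do not exist on disk (the page warns that none of them may be present), and one confirms that an active {{ic|url =}} line exists in {{ic|oinkmaster.conf}} and that the literal ''<oinkcode>'' placeholder has actually been replaced. It assumes the rules list uses {{ic|include $RULE_PATH/<file>}} lines as in a stock snort.conf; the function names, the scratch files and the example.invalid URL are constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the wiki page: two sanity checks for the Oinkmaster
# setup described above. Assumes oinkmaster.conf uses "url = ..." lines and
# that the rules list uses snort.conf-style "include $RULE_PATH/<file>" lines;
# every file, path and URL used here is constructed for the demo.

# Print the name of every rules file referenced by an active (uncommented)
# "include $RULE_PATH/<file>" line in $1 that is missing from directory $2.
# Prints nothing when all referenced files exist.
missing_rule_files() {
    conf=$1
    rule_path=$2
    sed -n 's/^[[:space:]]*include[[:space:]]*\$RULE_PATH\/\([^[:space:]]*\).*/\1/p' "$conf" |
    while IFS= read -r f; do
        [ -f "$rule_path/$f" ] || echo "$f"
    done
}

# Return 0 when $1 has at least one active "url = ..." line and none of them
# still carries the literal <oinkcode> placeholder; 1 if no url line is
# active (all still commented out), 2 if a placeholder was left in.
oinkmaster_url_ok() {
    conf=$1
    active=$(grep -E '^[[:space:]]*url[[:space:]]*=' "$conf" || true)
    [ -n "$active" ] || return 1
    if printf '%s\n' "$active" | grep -q '<oinkcode>'; then
        return 2
    fi
    return 0
}

# Demo on constructed files in a scratch directory.
demo_dir=$(mktemp -d)
mkdir "$demo_dir/rules"
: > "$demo_dir/rules/local.rules"          # this one exists
printf '%s\n' \
    'include $RULE_PATH/local.rules' \
    'include $RULE_PATH/web-attacks.rules' \
    '# include $RULE_PATH/disabled.rules' > "$demo_dir/snort.conf"
echo "missing rules files:"
missing_rule_files "$demo_dir/snort.conf" "$demo_dir/rules"   # web-attacks.rules

# Placeholder never replaced (constructed URL, not the real Snort one).
printf '%s\n' 'url = http://example.invalid/<oinkcode>/snortrules-snapshot-2.4.tar.gz' \
    > "$demo_dir/oinkmaster.conf"
oinkmaster_url_ok "$demo_dir/oinkmaster.conf" \
    || echo "oinkmaster url check failed with status $?"   # status 2
rm -rf "$demo_dir"
```

Run it once after editing {{ic|/etc/oinkmaster.conf}} and the rules list, pointing {{ic|missing_rule_files}} at your real configuration and rules directory; an include that names a file Oinkmaster never fetched is silently useless, which is exactly the situation the page describes.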